Last Updated: 2022-08-28 11:24:43 UTC
by Didier Stevens (Version: 1)
I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in memory dumps of Windows systems.
When my tool is given a process memory dump or a system's full memory dump, it will search for the header of a beacon configuration.
This often produces false positives in full memory dumps. I have now introduced a sanity check (option -S) that hides these false positives.
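To illustrate why a bare header search over a full memory dump is noisy and what a sanity check can add, here is an added example in Python. It is not code from 1768.py, and the page does not describe what option -S actually checks; the filter below is one plausible design. It assumes the publicly documented beacon configuration layout: the config is XOR-encoded with a single byte (0x69 for older beacons, 0x2e for 4.x), and it is a sequence of big-endian TLV records (uint16 index, uint16 type with 1 = short, 2 = int, 3 = data, uint16 length, value), the first of which is setting 1 (BeaconType, type 1, length 2), so the cleartext header is 00 01 00 01 00 02. The memory blob and the config inside it are constructed for the example; the hostname is not real.

```python
"""Added example (not 1768.py): find encoded Cobalt Strike config headers in a
memory blob, then parse the leading TLV settings to reject chance matches."""
import struct

# Cleartext of the first TLV header: index 1, type 1 (short), length 2 (assumption, see lead-in)
HEADER = bytes.fromhex("000100010002")
XOR_KEYS = (0x69, 0x2E)          # 3.x and 4.x single-byte keys (assumption, see lead-in)
TYPE_LENGTHS = {1: 2, 2: 4}      # fixed-size types; type 3 (data) is variable length


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_settings(clear: bytes, max_settings: int = 64):
    """Parse TLV records from decoded bytes; return [(index, type, length, value)] or None if malformed."""
    settings = []
    off = 0
    while off + 6 <= len(clear) and len(settings) < max_settings:
        idx, typ, length = struct.unpack_from(">HHH", clear, off)
        if idx == 0 and typ == 0 and length == 0:
            break                                   # all-zero record terminates the config
        if typ not in (1, 2, 3):
            return None                             # unknown type: not a config
        if typ in TYPE_LENGTHS and length != TYPE_LENGTHS[typ]:
            return None                             # short/int with wrong length: not a config
        if off + 6 + length > len(clear):
            return None                             # value runs past the window
        settings.append((idx, typ, length, clear[off + 6:off + 6 + length]))
        off += 6 + length
    return settings


def sane(settings, min_settings: int = 3) -> bool:
    """Sanity check: several well-formed records, BeaconType first, indices strictly increasing."""
    if settings is None or len(settings) < min_settings:
        return False
    if settings[0][0] != 1 or settings[0][1] != 1:
        return False
    indices = [s[0] for s in settings]
    return all(a < b for a, b in zip(indices, indices[1:]))


def scan(blob: bytes, window: int = 4096):
    """Return sorted (offset, key, passes_sanity_check) for every encoded header found in blob."""
    hits = []
    for key in XOR_KEYS:
        sig = xor(HEADER, key)
        start = 0
        while (pos := blob.find(sig, start)) != -1:
            clear = xor(blob[pos:pos + window], key)
            hits.append((pos, key, sane(parse_settings(clear))))
            start = pos + 1
    return sorted(hits)


def build_config(key: int) -> bytes:
    """Constructed sample config (not from a real beacon), encoded with the given key."""
    recs = [
        (1, 1, struct.pack(">H", 0)),                                   # BeaconType
        (2, 1, struct.pack(">H", 443)),                                 # Port
        (3, 2, struct.pack(">I", 60000)),                               # SleepTime
        (8, 3, b"example.invalid,/updates".ljust(256, b"\x00")),        # Server (padded data)
    ]
    clear = b"".join(struct.pack(">HHH", i, t, len(v)) + v for i, t, v in recs) + b"\x00" * 6
    return xor(clear, key)


# Constructed memory blob: a chance occurrence of the 0x69-encoded header at offset 100
# followed by junk (false positive), and a real-looking 4.x config at offset 202.
SAMPLE_BLOB = (
    b"\x00" * 64
    + b"MZ\x90\x00" + b"\x41" * 32
    + xor(HEADER, 0x69) + b"\xff" * 64
    + b"\x00" * 32
    + build_config(0x2E)
    + b"\x00" * 64
)

if __name__ == "__main__":
    for off, key, ok in scan(SAMPLE_BLOB):
        print(f"0x{off:08x} key=0x{key:02x} {'config' if ok else 'false positive'}")
```

The header search alone reports both offsets; only the record at 0x000000ca survives the sanity check, because the bytes after the chance match decode to a record whose type field is not 1, 2 or 3. Raising `min_settings` or also checking known index-to-type pairings makes the filter stricter at the cost of missing truncated configs, which is the usual trade-off with an option like -S.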
Here is a short how-to video.